Over the last couple of weeks, everyone in the IT industry has been keeping a close eye on a new class of security attacks that are taking advantage of a design flaw in modern computer processors. This is an industry-wide issue, not a problem specific to any operating system, hypervisor, or application. There are three separate vulnerabilities that were discovered and reported by multiple security teams, named Spectre (variant 1 & 2) and Meltdown (variant 3).
| Vulnerability | CVE | Exploit Name | Public Vulnerability Name |
|---|---|---|---|
| Spectre | 2017-5753 | Variant 1 | Bounds Check Bypass |
| Spectre | 2017-5715 | Variant 2 | Branch Target Injection |
| Meltdown | 2017-5754 | Variant 3 | Rogue Data Cache Load |
Since public disclosure, there have been misunderstandings and inaccurate reporting on these vulnerabilities. One of the reasons for this is that there are three separate vulnerabilities and reports are often not differentiating between them. Another reason is that these vulnerabilities impact lower layers of the stack, which are less familiar to administrators responsible for software running at the higher layers.
Much has already been written about Meltdown and Spectre. All three variants could allow unprivileged code to read privileged memory locations; however, it is important to differentiate between them, as each has a different mitigation. Below is a simple summary table based on our understanding to date:
| | Meltdown | Spectre |
|---|---|---|
| Ease of exploitation | Easy | Hard(er) |
| Ease of mitigation | Easy | Hard |
| Processors impacted | Intel, some ARM | Intel, AMD, ARM |
| Requires firmware update? | No | Yes (variant 2) |
So, what is so special about these vulnerabilities? A few different aspects are unique.
- Hardware-based attack – the vulnerability is in the hardware, which creates certain challenges; it can’t simply be fixed with a patch. Various software vendors (including Citrix) have been working on software mitigations for this hardware issue. To solve the root cause, you would need not only to modify the logic of modern processors, but also to manufacture, distribute, and install the new chips in every affected device, which would be extremely costly. This is why these exploits are being mitigated at the operating system or hypervisor level, rather than by fixing the hardware itself.
- Invisible vulnerability – these vulnerabilities are exploited through a side-channel attack: an attack (or rather a data-extraction technique) that uses information leaked by the physical implementation of a computer system, rather than a software bug. In this specific case the side channel is timing-based (data in the cache is returned faster than data that is not cached). Because Meltdown/Spectre rely on this technique, they are very hard to detect using traditional tools.
- Performance hit – one side effect of mitigating a hardware vulnerability through software patches is that these mitigations are more “expensive” from a performance perspective than fixing the issue in hardware. While we have seen various benchmarks and preliminary reports, it should be noted that these reports have limited value because the situation has not yet stabilized and patches are still being developed and updated. The first generation of hotfixes addresses the outstanding security issues and may not be as efficient as it could be from a performance perspective. Once the security threat is mitigated, we are probably going to see more optimized patches. It is also important to understand that, since there are many variables involved, each environment and workload is going to see different results.
One of the most common mistakes is mixing all these different variants together. Each variant requires a different approach and is going to have a different impact on workloads. Only Spectre variant 2 requires a firmware upgrade; Spectre variant 1 and Meltdown can be fixed using a software mitigation. Spectre will most likely require a combination of operating system updates, silicon (microcode) updates, updated compilers, and recompiled applications.
Instead of waiting until all hotfixes are available, organizations should start planning and executing a cautious rollout. It is important to understand that patches for variants 1 & 3 are already available and a microcode update is NOT required for them.
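One way to check where a Linux host stands against the three variants, added here as an example and not code from the original post: it maps the kernel's sysfs mitigation reporting (the standard /sys/devices/system/cpu/vulnerabilities/ interface, assumed to exist on the host) onto the variant, CVE and firmware columns of the tables above. The sample readings are constructed.

```python
import os
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"  # standard Linux kernel interface

# Variant -> (sysfs file, CVE, public name, firmware/microcode update required);
# the CVE and firmware columns follow the tables in the post.
VARIANTS = {
    "Variant 1 (Spectre)":  ("spectre_v1", "CVE-2017-5753", "Bounds Check Bypass", False),
    "Variant 2 (Spectre)":  ("spectre_v2", "CVE-2017-5715", "Branch Target Injection", True),
    "Variant 3 (Meltdown)": ("meltdown",   "CVE-2017-5754", "Rogue Data Cache Load", False),
}

def classify(text):
    """Reduce one sysfs line to a status keyword plus the kernel's detail string."""
    text = text.strip()
    detail = text.split(":", 1)[1].strip() if ":" in text else ""
    if text.startswith("Not affected"):
        return "not_affected", ""
    if text.startswith("Mitigation:"):
        return "mitigated", detail
    if text.startswith("Vulnerable"):
        return "vulnerable", detail
    return "unknown", text   # empty or unrecognised reading

def read_sysfs(directory=SYSFS_DIR):
    """Read the real sysfs files when this host exposes them; None otherwise."""
    if not os.path.isdir(directory):
        return None
    readings = {}
    for fname, *_ in VARIANTS.values():
        path = os.path.join(directory, fname)
        if os.path.exists(path):
            with open(path) as fh:
                readings[fname] = fh.read()
    return readings

def report(readings):
    """One row per variant: status, kernel detail, and whether firmware is also needed."""
    rows = []
    for variant, (fname, cve, name, needs_fw) in VARIANTS.items():
        status, detail = classify(readings.get(fname, ""))
        rows.append({"variant": variant, "cve": cve, "name": name, "status": status,
                     "detail": detail, "firmware_update_required": needs_fw})
    return rows

# Constructed sample: kernel patched for variants 1 and 3, variant 2 still open.
SAMPLE = {"spectre_v1": "Mitigation: __user pointer sanitization\n",
          "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
          "meltdown": "Mitigation: PTI\n"}

if __name__ == "__main__":
    for row in report(read_sysfs() or SAMPLE):
        print(f"{row['variant']:<22} {row['cve']}  {row['status']:<12} {row['detail']}")
```

A "vulnerable" row for variant 2 with `firmware_update_required` set is the case where an OS patch alone is not enough and the microcode rollout has to be tracked separately.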
To better assist our customers and partners, we are running our own internal tests now and are planning to provide updated guidance and recommendations as soon as they are available. We would like to explain the different variables that can affect the performance of your workloads and provide tips on how you can minimize the potential performance impact.
The Citrix Security bulletin discussing impacted Citrix products and mitigations is available here: https://support.citrix.com/article/CTX231399. And you may register for notifications of security bulletins and updates at https://support.citrix.com/user/alerts.
Citrix TechBytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.